It has many names: text phishing, SMS phishing, or even the slightly funny term, smishing. While it may sound funny, SMS phishing is a real threat and one that has gained popularity over the last few years. As more organizations embrace texting as a primary method of communication, they also open themselves up to a different variety of phishing and other social engineering attacks.
It is typical for SMS phishing attempts to come from a spoofed phone number. This is when a bad actor disguises, or spoofs, their real number to look like one that would be less suspicious, such as one that shares the same area code as their target. SMS phishing attacks could deliver malicious links, a request to purchase gift cards, or instructions to provide sensitive information.
Just recently, a Salvus TG employee received a text message from someone attempting to impersonate our CEO. The employee who received it had our CEO’s number saved and didn’t recognize the number that sent the text. These details were enough for him to dismiss the text as illegitimate and go on with his day. However, not everyone spots these red flags, and those who miss them can fall victim to this style of attack. Below is a mockup of the text message our employee received.
On the surface this seems harmless. And if one of your employees received a similar text and decided not to respond, there is no cause for concern. This scam in particular doesn’t begin until the target responds. After responding, the bad actor knows that they have someone on the hook and can start making requests. If you think this seems like a simplistic style of cyberattack, you would be right. Most phishing attempts are low tech and simple. However, that doesn’t stop them from working.
By impersonating a C-Level employee or business owner, bad actors play on your employees’ fears of not following instructions or responding slowly. Most victims of this style of scam will say that since the message came from the boss, they acted out of urgency and did not scrutinize the details. This is precisely what the bad actor bets on when sending the text. Eliciting fear or urgency is one of the most effective tools of any type of phishing attack, whether text or email based.
So what can be done to stay safe from this type of attack? Most of your staff should already know how to spot a phishing email. Confirm the sender, ask yourself if the message was expected, look for a sense of urgency, and avoid links from unknown sources. Applying these concepts to text message conversations is just as effective as applying them to emails in an inbox. The most important thing is to simply make sure that your employees are aware of this style of threat. Sharing this article or sending out an email to your staff is a great way to introduce the concept of SMS phishing and mitigate the risk.